from the be-forewarned dept

The Sixth Circuit court of appeals has now made it clear: you have no expectation of privacy in your butt dials. The full ruling makes for some fascinating reading. Apparently a guy named James Huff made what must be one of the most expensive butt dials in history. Huff, who was chairman of the Kenton County Airport Board (in Kenton, Kentucky) which oversees the Cincinnati/Northern Kentucky Airport (CVG), was in Europe on a business trip. At one point, he tried to call Carol Spaw, the executive assistant of the airport's CEO, Candace McGraw, to see if Spaw could schedule a dinner reservation for him and another board member. His call failed, but after another board member with Huff successfully reached Spaw, it appears that Huff's phone, in his pocket, called again and he was -- unknowingly -- successfully connected with Spaw.

At this point, though, Huff was already talking with the other board member, Larry Savage, about possibly replacing Spaw's boss, McGraw. Spaw then continued to listen and transcribe notes of what was being said, including recording parts of the call, which lasted for approximately an hour and a half (yes, from Italy to Kentucky, so... the price of the call alone was probably quite a lot, not counting the eventual legal costs). As for why she did this:

Spaw claims that she
believed that she heard James Huff and Savage engaged in a discussion to discriminate
unlawfully against McGraw and felt that it was her responsibility to record the conversation and
report it through appropriate channels.

Eventually Spaw typed up the notes she had taken, hired a company to enhance the audio of the recording she made and shared both with other board members. Huff was... not happy. He (and his wife) sued Spaw, claiming illegal wiretapping under 18 USC 2511. The lower court tossed out this claim, and the Huffs appealed.

Here, the court examines whether or not Huff had a reasonable expectation of privacy in his conversation, and notes that he knew there was such a risk and had, in fact, made such errant calls in the past. Thus, he had no reasonable expectation of privacy, since it was his own negligence that resulted in the butt dial:

At his deposition, James Huff admitted that he was aware of the risk of making
inadvertent pocket-dial calls and had previously made such calls on his cellphone. A number of
simple and well-known measures can prevent pocket-dials from occurring. These include
locking the phone, setting up a passcode, and using one of many downloadable applications that
prevent pocket-dials calls.... James Huff did not employ any of these measures. He is no different from the person
who exposes in-home activities by leaving drapes open or a webcam on and therefore has not
exhibited an expectation of privacy.

The court rejects the claim, made by the Huffs, that such a ruling would mean no one had any expectation of privacy in their phone calls:

The Huffs warn that, if we do not recognize James Huff’s reasonable expectation of
privacy in this case, we would deprive all cellphone-carrying Americans of their reasonable
expectations of privacy in their conversations.... We disagree. Not
recognizing James Huff’s expectation would do no more injury to cellphone users’ privacy
interests than the injury that the plain-view doctrine inflicts upon homeowners with windows or
webcams. A homeowner with an uncovered window or a broadcasting webcam lacks a
reasonable expectation of privacy with respect only to viewers looking through the window that
he neglected to cover or receiving signals from the webcam he left on. He would retain a
reasonable expectation of privacy in his home with respect to other means of observation, for
example thermal-imagery devices.... Similarly, James Huff retained an
expectation of privacy from interception by non-pocket-dial means, such as by a hidden
recording device or by someone covertly causing his cellphone to transmit his statements to an
eavesdropper.... James Huff lacked a reasonable
expectation of privacy in his statements only to the extent that a third-party gained access to
those statements through a pocket-dial call that he placed. In sum, a person who knowingly
operates a device that is capable of inadvertently exposing his conversations to third-party
listeners and fails to take simple precautions to prevent such exposure does not have a reasonable
expectation of privacy with respect to statements that are exposed to an outsider by the
inadvertent operation of that device.

So, the failed lawsuit would then be the second part of why this was likely the most expensive butt dial in history.

Of course, it's not a total loss for the Huffs. As noted earlier, it wasn't just James Huff who sued, but also his wife, Bertha. Apparently part of the overheard conversation was between James and Bertha, and the court is much more receptive to Bertha's "reasonable expectation of privacy" claim. The lower court had said she didn't have a reasonable expectation of privacy, since she knew that her husband's phone might butt dial someone. The appeals court finds that to be a bit more ridiculous.

If Bertha waived her reasonable expectation of privacy from pocket-dials
by speaking to a person who she knew to carry a pocket-dial-capable device, she would
also waive her reasonable expectation of privacy from recordings and transmissions by speaking
with anyone carrying a recording-capable or transmission-capable device, i.e., any modern
cellphone. The district court’s holding would logically result in the loss of a reasonable
expectation of privacy in face-to-face conversations where one party is aware that a participant in
the conversation may have a modern cellphone. As nearly every participant in a conversation is
a potential cellphone carrier, such a conclusion would dramatically undermine the protection
that Title III grants to oral communication.

And thus, the court sends it back down to the lower court to determine if Spaw's answering of the phone, listening to the call she received and taking such notes (and recording part of the call) constituted "intentional use of a device" to intercept Bertha Huff's oral communications. Most of that seems like a stretch -- though the fact that, at one point, she did have someone go get another phone with which to record the call at least raises some questions that make it not so cut and dried.

Either way, the moral of the story: don't butt dial. And, if you do: don't then discuss figuring out a way to fire the boss of the person you butt dialed.

from the everybody-loses dept

As we just got done discussing, AT&T, Verizon and Sprint recently were able to dodge a long-running lawsuit alleging the companies have been dramatically overcharging the government for wiretaps for more than a decade. The lawsuit was filed by former New York Deputy Attorney General John Prather, who spent thirty years in the AG's office (and six years on the Organized Crime Task Force in NY) helping to manage wiretaps and invoices for wiretap provisioning. Prather filed the suit on behalf of the U.S. government, but telco lawyers were able to have the suit dismissed by arguing that Prather couldn't technically sue the telcos under the False Claims Act as a whistleblower, because he filed the original complaint while working for the government.

Now it appears that at least one of the telcos is being focused on for round two, with the news that the government is suing Sprint for overcharging for wiretaps under CALEA. Under CALEA phone companies are allowed to recoup "reasonable expenses," but the lawsuit claims that Sprint overcharged the government to the tune of $21 million, overinflating charges by approximately 58 percent between 2007 and 2010. The Prather case claimed the telcos overcharge for taps in general, but have historically dodged culpability by simply hitting the government with large bills that don't itemize or explain why a wiretap should magically cost $50,000 to $100,000.

Sprint appears to have been specifically nabbed by the Justice Department’s Inspector General because it wasn't clever enough about passing on the costs of modifying its network to adhere to CALEA back to the government, something the law prohibits:

"Despite the FCC’s clear and unambiguous ruling, Sprint knowingly included in its intercept charges the costs of financing modifications to equipment, facilities, and services installed to comply with CALEA. Because Sprint’s invoices for intercept charges did not identify the particular expenses for which it sought reimbursement, federal law enforcement agencies were unable to detect that Sprint was requesting reimbursement of these unallowable costs."

It should be interesting to see if AT&T and Verizon face similar lawsuits down the road, or if their lawyers and accountants were simply better at obscuring overbilling. It's kind of a lose-lose scenario for you and me either way. Not only do we get to be spied on, we likely paid for these wiretaps both on the taxpayer side and on the telco side as the companies passed on both real and imaginary wiretap costs to you.

from the not-so-hard-justice dept

AT&T and Verizon's ultra-close relationship with government surveillance efforts has been profitable in innumerable ways. Obviously being a loyal patriot means you'll have a better chance of grabbing multi-billion dollar military and government communications contracts. Carriers also pass on most of the costs of outfitting their network for easier surveillance (like those live fiber splits AT&T whistleblower Mark Klein exposed) directly to you, the consumer. Lastly, as we've discussed more than a few times whenever pricing sheets leak, they make a pretty penny on law enforcement wiretap requests. Maybe a bit too pretty.

Back in 2009, former New York Deputy Attorney General John Prather filed a lawsuit on behalf of the U.S. government, accusing Verizon, AT&T, Sprint and Qwest (now CenturyLink) of overcharging federal, state and city governments for services under CALEA. Prather, who helped lead the NY AG's Organized Crime Task Force from 2002 to 2008 as part of thirty years as a prosecutor, was intimately familiar with wiretap procedure and spent years in charge of invoices for wiretap provisioning. Prather claimed telcos had aggressively been price gouging law enforcement for some time, jacking up prices year over year without any sensible explanation why some wiretaps should cost in some cases $50,000 to $100,000 each.

Prather claims he filed a complaint with the FCC in 2004, which did nothing about it. Prather's lawsuit was dismissed a few months back (pdf) after the court claimed his insights were conjecture in that he didn't provide enough firsthand evidence of fraud. That degree of proof was required because, according to telco lawyers, Prather technically couldn't file a whistleblower lawsuit under the False Claims Act and claim he himself was the "original source of the information" -- because he filed the original complaint while working for the government.

As a tiny win, however, the court this week stated that phone company lawyers couldn't prove that Prather was filing the lawsuit simply to harass the phone companies, and as such they'll be required to at least pay their own legal costs related to the case:

"Furthermore, the phone companies "fail to show that Relator's action was 'clearly vexatious' or 'brought primarily for purposes of harassment' as there is no evidence that relator pursued this litigation merely to annoy or embarrass defendants," the ruling states. "Conversely, Relator asserts that he brought this action 'in an attempt to bring to light the fraud of the telecommunications carriers, and to help insure that the Law Enforcement Agencies would not be hindered in their investigation of crime.'"

Understand that Verizon and AT&T have a long and proud history of taking all manner of subsidies, tax breaks or other incentives for services never delivered, and when they do deliver, over-charging like any good unaccountable government contractor. The combination of excellent lawyers, an apathetic government afraid of taking on larger companies and the fact that phone companies are simply damn good at it has historically allowed them to get away with pretty much whatever they've wanted. Actually requiring the phone companies to pay their own lawyers may not sound like much, but when AT&T and Verizon lawyers are involved, it's dramatically more than you'll usually see in cases like this.

from the as-expected dept

It appears that some of the details that resulted in Lavabit shutting down have been unsealed. Kevin Poulsen, over at Wired, has the details, and it's pretty much what most people suspected. The feds got a court order, demanding that Lavabit effectively hand over the keys to everyone's emails. Lavabit's Ladar Levison refused, and he was then threatened with $5,000/day fines, contempt of court charges and possibly more.

Initially, Lavabit was sent a pen register order letting the government know every time Ed Snowden logged in (Snowden's name is redacted, but it's clear that this is about him). Lavabit said that it wouldn't defeat its own encryption system, and the court quickly ordered Lavabit to comply:

By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

A week later, prosecutors obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit email account [redacted] including encryption keys and SSL keys.”

Once again, Levison refused to reveal the SSL keys, leading to the $5,000 per day fine imposed by Magistrate Judge Theresa Buchanan. The fines began August 6th. Lavabit shut down on August 8th.

Again, something along those lines was what many people had assumed happened, but now it's been confirmed. Kudos to Levison for standing his ground on this. I know that people in our comments like to insist that every company should act this way, but it's not nearly as easy when it's your life's work on the line, and you have the entire US government (including huge monetary fines and the possibility of jail time) coming down on you.

from the no-that-won't-be-abused-at-all dept

We've talked a lot about how the Justice Department (DOJ), mainly via the FBI, has been pushing for years to change the laws in order to require tech companies to build wiretapping backdoors into any and every form of communication online. As we've explained over and over again, this is a really silly proposal that won't make us any safer. Instead, it's likely to make us a lot less secure, because those backdoors will be abused, not just by law enforcement, but by those with malicious intent who will work hard to find the backdoors and make use of them.

The latest proposal on this front is equally ridiculous. While it wouldn't dictate specific wiretapping/backdoor standards, it would require that companies make some sort of backdoor available or face rapidly escalating fines.

Under the draft proposal, a court could levy a series of escalating fines, starting at tens of thousands of dollars, on firms that fail to comply with wiretap orders, according to persons who spoke on the condition of anonymity to discuss internal deliberations. A company that does not comply with an order within a certain period would face an automatic judicial inquiry, which could lead to fines. After 90 days, fines that remain unpaid would double daily.

This would be a disaster for innovative companies and for public security and privacy as well. The DOJ really needs to learn that not everything must be tappable. As it stands now, if I just sit on a park bench talking to someone, the DOJ can't tap it. Sometimes law enforcement doesn't get the right to hear everything I have to say. That's the nature of freedom and privacy protection that we're supposed to believe in. I'm sure with the news that chat apps are now more popular than SMS worldwide, law enforcement folks think that they need to "do something" to make sure they can spy on those conversations, but that's not true. Yes, it may make their job harder at times, but in a free country, the focus should be on protecting the freedom of the people, not decimating it to make the job of law enforcement easier. Those who commit crimes leave other clues beyond their communications online. Tapping such communications will lead to a massive security risk and huge expense for many innovative companies (likely slowing down the pace of innovation in that space). Is that worth it just so the DOJ can spy on what you have to say? That seems doubtful.

from the uh.... dept

Want to know one reason why the feds are so interested in giving blanket immunity to anyone who helps them spy on people? Perhaps because they're already telling companies that they have immunity if they help them spy on people. Specifically, they've issued special letters of immunity, more or less helping companies like AT&T ignore the Wiretap Act.

Senior Obama administration officials have secretly authorized the interception of communications carried on portions of networks operated by AT&T and other Internet service providers, a practice that might otherwise be illegal under federal wiretapping laws.

The secret legal authorization from the Justice Department originally applied to a cybersecurity pilot project in which the military monitored defense contractors' Internet links. Since then, however, the program has been expanded by President Obama to cover all critical infrastructure sectors including energy, healthcare, and finance starting June 12.

Basically, the Justice Department, at the urging of the NSA, went to various telcos and ISPs and issued secret letters which told them that if they violated the Wiretap Act, the DOJ promised them it would not prosecute. Not surprisingly, this kind of thing is not what you would generally consider legal. However, after CISPA... it would likely be more protected:

A report (PDF) published last month by the Congressional Research Service, a non-partisan arm of Congress, says the executive branch likely does not have the legal authority to authorize more widespread monitoring of communications unless Congress rewrites the law. "Such an executive action would contravene current federal laws protecting electronic communications," the report says.

Because it overrides all federal and state privacy laws, including the Wiretap Act, legislation called CISPA would formally authorize the program without the government resorting to 2511 letters. In other words, if CISPA, which the U.S. House of Representatives approved last week, becomes law, any data-sharing program would be placed on a solid legal footing. AT&T, Verizon, and wireless and cable providers have all written letters endorsing CISPA.

Apparently, the DOJ knew how problematic this was, and the CEOs of the various ISPs had indicated how worried they were about this program, but it still went forward. In secret, of course. Until now.

Suddenly the emphasis on getting CISPA approved, and the attempts to frighten everyone with scare stories of what will happen without it, make a bit more sense...

While T‐Mobile does not disclose the number of requests we receive from law
enforcement annually, the number of requests has risen dramatically in the last decade...

Perhaps more troubling may be the tidbit that Julian Sanchez noticed in Sprint's response (pdf), in which they admit to 52,029 court orders for wiretaps:

Over the past five years, Sprint has received approximately 52,029 court orders for wiretaps; 77,519 court orders for the installation of a pen register/trap and trace device; and 196,434 court orders for location information. [...] Over the same time frame Sprint received subpoenas from law enforcement agencies requesting basic subscriber information. Each subpoena typically requested subscriber information on multiple subscribers and last year alone we estimate that Sprint received approximately 500,000 subpoenas from law enforcement.

As Sanchez notes, this is problematic, because Sprint -- which is just the third largest mobile operator -- appears to be claiming more court orders for wiretaps than various official reports to Congress say had been sought in total. In other words, either Sprint's definition of "wiretaps" is different than everyone else's, its number is wrong... or... someone's been lying to Congress.

Certainly a report of 52,029 wiretaps over five years--and that just from the third largest carrier in the country--is remarkable in and of itself. But it’s also more than double the number of all wiretaps counted in annual reports required by federal law. The Administrative Office of the U.S. Courts keeps track of the number of wiretaps authorized each year for criminal investigations. The Justice Department files an annual report to Congress on individual warrants issued by the Foreign Intelligence Surveillance Court for intelligence investigations. (If you don’t feel like wading through, The Electronic Privacy Information Center has charts and graphs that should make it clear.) The total number of all wiretaps counted in the official reports over the five year period 2007–2011 comes to 24,270. I’ve made a table breaking it down year by year:

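| YEAR | TITLE III (Criminal) Wiretap Orders | FISA (Intelligence) Wiretap Orders |
|-------|-------------------------------------|------------------------------------|
| 2011 | 2,732 | 1,745 |
| 2010 | 3,795 | 1,579 |
| 2009 | 3,043 | 1,320 |
| 2008 | 2,631 | 2,083 |
| 2007 | 2,927 | 2,370 |
| TOTAL | 15,173 | 9,097 |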

The obvious question: How is one cell phone carrier—and not the largest by a longshot—reporting 27,759 more wiretap orders than the official numbers acknowledge for all carriers?

from the maybe-someone-who-understands-tech dept

After an apparently technically clueless judge ruled last week that WiFi is not a radio communication, and thus suggested Google's collection of open WiFi data represents illegal wiretapping, Google has asked for an immediate appeal on that point, noting that "reasonable judges could disagree," and that fighting a whole trial on other points wouldn't make sense if another court says WiFi is, in fact, a radio communication and, thus, an open WiFi network is not subject to wiretap laws.

from the it-shouldn't-be... dept

In the consolidated cases against Google for intercepting some unencrypted data passing over open WiFi networks as part of its Street View operation, the judge is now looking to determine if basic packet sniffing is the equivalent of an illegal wiretap. Google, and one would imagine, most people who understand the technology, are arguing that's silly. The nature of WiFi is that it takes the unencrypted bits and makes them wide open to anyone on that network. That's how the technology is designed. If you don't like it, you encrypt. Arguing, retroactively, that seeing the data that is put in the open on purpose is somehow an illegal wiretap seems silly, but that's what the case hinges on. Hopefully, the judge is either technologically savvy enough to understand this, or can be well educated in the nature of how an open WiFi network works... Otherwise, a lot of people may be facing wiretapping charges for activity that many people consider perfectly normal on a network.

from the unintended-consequences... dept

The unfortunate, if not surprising, news story making the rounds today is that the feds in the US are looking to pass new laws to legally require a wiretap backdoor in every kind of internet communication offering. Yes, you read that right. If there's any way to communicate online, the US government is demanding the right to be able to wiretap it. Any company that doesn't comply will face fines. This despite the long history of the US government massively abusing its wiretapping privileges repeatedly throughout history.

And, yes, this would supposedly apply to non-US communications services as well:

Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.

Yeah, that'll go over well. It's difficult to see how this is any different than foreign governments demanding access to others' communications as well. It's pretty ridiculous for President Obama to talk about open internet principles to the UN, while cooking this up at the same time. Pushing for this also means that the US will have no excuse when the governments of Iran, China and elsewhere also demand backdoors into all US-based communications.

And, really, that's the biggest problem with this law. Beyond the inevitable privacy violations by the feds, putting backdoors into communications technologies guarantees that those backdoors will be used by others (outside of the federal government) to snoop on communications. The FBI and the NSA (who are pushing for this) are being totally and completely naive if they think that they're the only ones who will use this. We've pointed out in the past how large scale surveillance systems mean large scale security risks, and this is no different. We showed how a similar surveillance system in Greece was hacked into to spy on government officials. US officials should be aware that they're opening themselves up to these same potential risks.

And, the simple fact is: this won't help and it won't matter. The people who really want to communicate secretly will still use tools to communicate secretly. The feds are (once again) being naive to think that such tools won't exist and won't be widely known and widely utilized. Instead, all this will do is open up everyone else to abuse of the system by other governments, organized crime, people with malicious intent and (of course) the US government.